
List:       activemq-users
Subject:    Re: [ANNOUNCE] CVE-2020-13932 Apache ActiveMQ Artemis - Remote XSS in Web console Diagram Plugin
From:       Arun Magesh <arun.m () payatu ! com>
Date:       2020-07-21 13:44:50
Message-ID: CAH73XYMMiNBoGz9yzy6Uzs=2fKoDmPMbROmg9zbX5KaCT8VNkA () mail ! gmail ! com


Thanks, Gary, for the update.

On Mon, Jul 20, 2020 at 9:44 PM Gary Tully <gtully@apache.org> wrote:

> Apache ActiveMQ Artemis - Remote XSS in Web console Diagram Plugin
>
> Severity: Medium
>
> Vendor: The Apache Software Foundation
>
> Affected Version: Apache ActiveMQ Artemis 2.5.0 to 2.13.0
>
> Vulnerability details:
> A specifically crafted MQTT packet which has an XSS payload as
> client-id or topic name can exploit this vulnerability. The XSS
> payload is being injected into the admin console's browser. The XSS
> payload is triggered in the diagram plugin; queue node and the info
> section.
>
> Mitigation:
> Upgrade to Apache ActiveMQ Artemis 2.14.0
>
> Credit: This issue was discovered by Arun Magesh from Payatu Software Labs
>
> see:
> https://activemq.apache.org/security-advisories.data/CVE-2020-13932-announcement.txt
>


-- 


Warm Regards,
M.Arun Magesh
Security Researcher,
Payatu Technologies Pvt Ltd
+919686346260
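The advisory quoted above describes broker-supplied MQTT client-ids and topic names reaching the admin console's diagram plugin without encoding. As an added illustration that is not ActiveMQ Artemis's own code (the node shape, the two render functions and the sample values are assumptions), this shows the unsafe interpolation pattern beside an HTML-encoded version, plus a conservative client-id check a broker-side log filter could use:

```javascript
// Added example, not ActiveMQ Artemis code: the node shape and the two
// render functions are assumptions that stand in for a diagram plugin.

// HTML-encode the five characters that let plain text become markup.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Unsafe pattern: broker-supplied strings interpolated straight into markup,
// so anything the MQTT client chose as its id or topic is rendered as HTML.
function renderNodeUnsafe(node) {
  return `<div class="node"><b>${node.clientId}</b> on ${node.topic}</div>`;
}

// Hardened pattern: every untrusted field is encoded before it becomes markup.
function renderNodeSafe(node) {
  return `<div class="node"><b>${escapeHtml(node.clientId)}</b> on ${escapeHtml(node.topic)}</div>`;
}

// Defence in depth: MQTT 3.1.1 recommends client identifiers of 1 to 23
// characters drawn from [0-9a-zA-Z]. Many brokers accept a wider set, so this
// is a flag for monitoring rather than a hard reject.
function isConservativeClientId(id) {
  return /^[0-9A-Za-z]{1,23}$/.test(String(id));
}

// Constructed sample: a client-id and topic carrying markup, as the advisory
// describes, using harmless tags rather than any script.
const SAMPLE_NODE = {
  clientId: 'sensor-1<b>injected</b>',
  topic: 'plant/line-2<i>x</i>',
};

console.log(renderNodeUnsafe(SAMPLE_NODE));              // markup survives
console.log(renderNodeSafe(SAMPLE_NODE));                // markup neutralised
console.log(isConservativeClientId(SAMPLE_NODE.clientId)); // false
```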

